Qualys was able to remotely exploit a mail server running Exim mail software but it's unclear what other software might be vulnerable. (They are working on a metapsloit module specifically for the Exim exploit)

Regarding other Linux server software Qualys wrote:

"to the best of our knowledge, the buffer overflow cannot be triggered in any of [these]:

The YELLOW highlighted data is a WordPress "Patsy Proxy" site while the ORANGE highlighted data is the DDoS target/victim website. In this scenario, the XML-RPC "pingback" code in PHP is using the gethostbyname() function call on the ORANGE highlighted data so that it can resolve it to an IP address for the remote request it will send. This is the exploit vector we chose to focus on for GHOST testing.

Modifying Input for GHOST Vulnerability Testing

Instead of sending a normal sized URL in the XML pingback.ping method body, we need to send a large one. Here is a Ruby PoC script:

The script takes command line arguments for the size of payload that you want to send. During our testing in SpiderLabs Research, we identified different size ranges that worked on different platform/versions of glibc, php and wordpress. After sending the attack payload, we have seen the HTTP process responds with the following:

500 HTTP Response Status code with php-cgi

No HTTP Response with mod_php

There are errors in the Apache error_log file when the process crashes:

This PoC allows users to remotely verify if a target web server is vulnerable to the CVE however it does not demonstrate exploitability. Here is the glibc and php version information for the two systems we used during this test:

Disable XML-RPC

Disable Pingback Requests

You may also disable the pingback feature by adding the following to your functions.php file:

WAF Protections

By using a WAF, you can identify initial pingback XML requests on your Wordpress site and look for attacks. The Trustwave WAF has a profiling and learning engine called "Adaption" that is able to identify these types of anomalies vs. normal user traffic. We have also added rules to our commercial SpiderLabs ModSecurity rules package to identify this specific PoC attack vector.

Monitor Your Logs

When attackers are attempting to exploit this vulnerability against your web servers, there will most likely be error messages (segmentation faults, etc...) that will indicate a problem. Organizations should be vigilant in monitoring their logs and following up on an anomalous errors.

Acknowledgments

I would like to thank my fellow SpiderLabs Research colleagues who helped with testing and the content of this blog post: